[GEP-30] Drop webhook code unneeded with RemoveAPIServerProxyLegacyPort (#120)

* drop unneeded webhook code

* Drop "Internal flow" from README

* address PR feedback

* address PR feedback

Author: Johann Gnaucke

.gitignore

@@ -23,4 +23,3 @@ TODO
 
 vendor
 out
-certs

Makefile

@@ -42,11 +42,7 @@ run:
 		./cmd/$(EXTENSION_PREFIX)-$(NAME) \
 		--kubeconfig=${KUBECONFIG} \
 		--ignore-operation-annotation=$(IGNORE_OPERATION_ANNOTATION) \
-		--leader-election=$(LEADER_ELECTION) \
-		--webhook-config-mode=url \
-		--webhook-config-url="host.docker.internal:9443" \
-		--webhook-config-cert-dir=example/certs \
-		--webhook-config-server-port=9443
+		--leader-election=$(LEADER_ELECTION)
 
 .PHONY: debug
 debug:

README.md

@@ -43,37 +43,24 @@ Istio configures an envoy proxy using a set of
 We can hook into this mechanism and insert additional configuration, which
 further limits the access to a specific cluster.
 
-Broadly speaking, there are three different external traffic flows:
+Broadly speaking, there are two different external traffic flows:
 
 1. Kubernetes API Listener (via SNI name)
-1. Kubernetes Service Listener (internal flow)
-1. VPN Listener
+2. Apiserver-Proxy / Reversed-VPN Listener
+
+*Please note that this changed with [GEP-30](https://github.com/gardener/gardener/blob/master/docs/proposals/30-apiserver-proxy.md) as the dedicated Kubernetes Service Listener for the apiserver-proxy was removed.*
 
 These ways are described in more detail in the aforementioned GEP. Essentially,
-these three ways are all represented by a specific Envoy listener with filters.
+these two ways are all represented by a specific Envoy listener with filters.
 The extension needs to hook into each of these filters (and their filter chains)
-to implement the desired behavior. Unfortunately, all three types of access
+to implement the desired behavior. Unfortunately, all types of access
 require a unique way of handling them, respectively.
 
-![Listener Overview](./docs/listener-overview.svg)
-
 1. **SNI Access** - The most straightforward approach. Wen can deploy one
    additional `EnvoyFilter` per shoot with enabled ACL extension. It contains a
    filter patch that matches on the shoot SNI name and specifies an `ALLOW` rule
    with the provided IPs.
-1. **Internal Flow** - Gardener creates one `EnvoyFilter` per shoot that defines
-   this listener. Unfortunately, it doesn't have any criteria we could use to
-   match it with an additional `EvnoyFilter` spec on a per-shoot basis, and
-   we've tried a lot of things to make it work. On top of that, a behavior that
-   we see as [a bug in Istio](https://github.com/istio/istio/issues/41536)
-   prevents us from working with priorities here, which was the closest we got
-   to make it work. Now instead, the extension deploys a `MutatingWebhook` that
-   intercepts creations and updates of `EnvoyFilter` resources starting with
-   `shoot--` (which is their only common feature). We then insert our
-   rules. To make this work with updates to `Extension` objects, the controller
-   dealing with 1) also updates a hash annotation on these `EnvoyFilter`
-   resources every time the respective ACL extension object is updated.
-1. **VPN Access** - All VPN traffic moves through the same listener. This
+2. **Apiserver-Proxy / VPN Access** - All apiserver-proxy and VPN traffic moves through the same listener. This
    requires us to create only a single `EnvoyFilter` for VPN that contains
    **all** rules of all shoots that have the extension enabled. And, conversely,
    we need to make sure that traffic of all shoots that don't have the

charts/gardener-extension-acl/templates/deployment.yaml

@@ -5,7 +5,7 @@ metadata:
   name: {{ include "name" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    high-availability-config.resources.gardener.cloud/type: webhook
+    high-availability-config.resources.gardener.cloud/type: controller
 {{ include "labels" . | indent 4 }}
 spec:
   revisionHistoryLimit: 0
@@ -43,10 +43,6 @@ spec:
         {{- if .Values.gardener.version }}
         - --gardener-version={{ .Values.gardener.version }}
         {{- end }}
-        - --webhook-config-namespace={{ .Release.Namespace }}
-        - --webhook-config-service-port={{ .Values.webhookConfig.servicePort }}
-        - --webhook-config-server-port={{ .Values.webhookConfig.serverPort }}
-        - --disable-webhooks={{ .Values.disableWebhooks | join "," }}
         env:
         - name: LEADER_ELECTION_NAMESPACE
           valueFrom:

charts/gardener-extension-acl/templates/rbac.yaml

@@ -133,6 +133,7 @@ rules:
   - create
   - update
   - patch
+  - delete
 - apiGroups:
   - networking.istio.io
   resources:

charts/gardener-extension-acl/templates/service.yaml

@@ -27,12 +27,6 @@ controllers:
 
 disableControllers: []
 
-webhookConfig:
-  servicePort: 443
-  serverPort: 10250
-
-disableWebhooks: []
-
 additionalAllowedCidrs: []
 
 # imageVectorOverwrite: |

charts/gardener-extension-acl/values.yaml

@@ -24,14 +24,15 @@ import (
 	"github.com/spf13/cobra"
 	istionetworkv1alpha3 "istio.io/client-go/pkg/apis/networking/v1alpha3"
 	istionetworkv1beta1 "istio.io/client-go/pkg/apis/networking/v1beta1"
+	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	componentbaseconfigv1alpha1 "k8s.io/component-base/config/v1alpha1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 
 	"github.com/stackitcloud/gardener-extension-acl/pkg/controller"
 	"github.com/stackitcloud/gardener-extension-acl/pkg/controller/healthcheck"
-	"github.com/stackitcloud/gardener-extension-acl/pkg/webhook"
 )
 
 // NewControllerManagerCommand creates a new command that is used to start the service controller.
@@ -95,7 +96,6 @@ func (o *Options) run(ctx context.Context) error {
 	ctrlConfig := o.extensionOptions.Completed()
 	ctrlConfig.ApplyHealthCheckConfig(&healthcheck.DefaultAddOptions.HealthCheckConfig)
 	ctrlConfig.Apply(&controller.DefaultAddOptions.ExtensionConfig)
-	webhook.DefaultAddOptions.AllowedCIDRs = ctrlConfig.AdditionalAllowedCIDRs
 
 	o.controllerOptions.Completed().Apply(&controller.DefaultAddOptions.ControllerOptions)
 	o.healthOptions.Completed().Apply(&healthcheck.DefaultAddOptions.Controller)
@@ -105,11 +105,19 @@ func (o *Options) run(ctx context.Context) error {
 		return fmt.Errorf("could not add controllers to manager: %s", err)
 	}
 
-	if err := o.webhookOptions.Completed().AddToManager(ctx, mgr); err != nil {
-		return fmt.Errorf("could not add controllers to manager: %s", err)
+	// TODO(Wieneo): Remove this once a couple extension versions included the migration code
+	// migration code: remove mutating webhook from cluster as it is not served by this controller anymore
+	if err := mgr.Add(manager.RunnableFunc(func(ctx context.Context) error {
+		if err := client.IgnoreNotFound(mgr.GetClient().Delete(ctx, &admissionregistrationv1.MutatingWebhookConfiguration{ObjectMeta: metav1.ObjectMeta{Name: ExtensionName}})); err != nil {
+			return fmt.Errorf("could not delete mutatingwebhook %s: %w", ExtensionName, err)
+		}
+		return nil
+	})); err != nil {
+		return fmt.Errorf("could not add runnable to manager: %w", err)
 	}
+
 	if err := mgr.Start(ctx); err != nil {
-		return fmt.Errorf("error running manager: %s", err)
+		return fmt.Errorf("error running manager: %w", err)
 	}
 
 	return nil

cmd/gardener-extension-acl/app/app.go

@@ -19,7 +19,6 @@ import (
 	"os"
 
 	extensionscmdcontroller "github.com/gardener/gardener/extensions/pkg/controller/cmd"
-	extensionscmdwebhook "github.com/gardener/gardener/extensions/pkg/webhook/cmd"
 
 	extensioncmd "github.com/stackitcloud/gardener-extension-acl/pkg/cmd"
 )
@@ -36,7 +35,6 @@ type Options struct {
 	controllerOptions  *extensionscmdcontroller.ControllerOptions
 	healthOptions      *extensionscmdcontroller.ControllerOptions
 	controllerSwitches *extensionscmdcontroller.SwitchOptions
-	webhookOptions     *extensioncmd.AddToManagerOptions
 	reconcileOptions   *extensionscmdcontroller.ReconcilerOptions
 	optionAggregator   extensionscmdcontroller.OptionAggregator
 }
@@ -65,14 +63,7 @@ func NewOptions() *Options {
 			MaxConcurrentReconciles: 5,
 		},
 		controllerSwitches: extensioncmd.ControllerSwitches(),
-		webhookOptions: extensioncmd.NewAddToManagerOptions(
-			ExtensionName,
-			&extensionscmdwebhook.ServerOptions{
-				Namespace: os.Getenv("WEBHOOK_CONFIG_NAMESPACE"),
-			},
-			extensioncmd.WebhookSwitchOptions(),
-		),
-		reconcileOptions: &extensionscmdcontroller.ReconcilerOptions{},
+		reconcileOptions:   &extensionscmdcontroller.ReconcilerOptions{},
 	}
 
 	options.optionAggregator = extensionscmdcontroller.NewOptionAggregator(
@@ -83,7 +74,6 @@ func NewOptions() *Options {
 		options.extensionOptions,
 		extensionscmdcontroller.PrefixOption("healthcheck-", options.healthOptions),
 		options.controllerSwitches,
-		options.webhookOptions,
 		options.reconcileOptions,
 	)
 

cmd/gardener-extension-acl/app/options.go

@@ -4,7 +4,7 @@ kind: ControllerDeployment
 metadata:
   name: acl
 helm:
-  rawChart: H4sIAAAAAAAAA+0ca3PbNjKf+StwzHWSdELqYVluOZOZuo4v9UycaJycOzedjgciIQk1SfAAUo7yuN9+C4Av8WFKtmM3rfaDTAKLxQL7wAILeo65R0LCLfIhJqGgLLSw6/ce3SX0AQ7299VfgOpf9TzYGw2G+8PxWJYPRoPB4BHav1MuWiARMeYIPeKMxdfhddV/ozBvlr+9IH5A5yHj5PZ9SAGPR6NW+YPYK/IfD0fjR6h/+6674W8u/8doguOY8FCgmCEtcXS1ICGaJtT3aDhHEXYv8ZwI23iM3i+oQCKJIsZjeAAt8dHcZ1MU4NhdAPZzxImPY7ok0C5elMpx6AGBkMyhloXoacTJjH4gHrqigPePZzZ6G/orxELVUrKEIsKRT0NiG/bLdxfvYuANSByxIAAC50fvkEe5MOw5jXvqV7Nv2NOPvKd+s4LFvCd/slexDHsFoSmML4nQjPpEGN/b4iqC3ym+hN84gOf/Aeo55pQlAp28PIYOI87+IG5s2NQjuKfxoMiwl8JlHukZDy3VzaHF/o8WmMf2Cgf+HfTRZf/D/kHV/vt7+zv7vw/AET0nXMrdQcuBgaMofzUHdt80PCJcTqNYFR2iX2BdQK7UDjRjHMULgl6lKoQOj16jXI1sI8QBcVCzghnLrJe+Dd18QwbzF4MW+49JEIEbJ+IuIsHt47/xAFzCLv67B+iU/wWs8bAOCzuObroWdPj/wXBY8f/D/mhvb+f/7wM+fbKQB4EYRF2mdNgmsr58MVqctkQmoadQjHJLH0+JL2xYPexLstI01EsyhTiOgB7ZlPUk/TUaLSSW2E9SRj59QjR0/cTL2bNR2vAaRuptqwxKKg5qwUj7Vz3VR0FD0JjQJaq5fUZ8ggWx3wBz13JGA4ihNWMIyQo6Q5c09E4EMkXMIUSGHs9lz9CLxEU5ZksxsEsklQUWExVLA6EFHu6PnQolO8bzolkEfcUzZH4nfvpOVDE5iZigEGivriOhem4g6NyYIMxYafK+fHlos/jbQKf/d1k4o/MAR5aS2xL2PYxbDOK3K05jsskeoSv+H42r/n9/eDDa+f/7gNQTrdnmuZLx20zE0jItyzIqWwXpvBzYQ0v1OMWREZAYezjGDti0Dv2bnXezHqWNRISbPKsq1u5C+2mnwbtL8p+hEPQ5RiPA/mJk/KguxcW61jros6Ry7dDX6P0V/VOn/Xsk8tkqgDm48XFAh/3vjw+q9j8YHAx39n8fUDVsiHdEL7ful7nwNzbvrQ0ZASzofGHhJaZQSH0aryy97ED4IFjCXTDPTFFt12eJ14tXEZC/ItMFY5ebOANDRMSVvXGypHKsv1Ahw5LXNKCxg/qqJvKpi4VmO3ULaeERS4CQYlzAeKSX0KyrA87XmzmlsSaQGVdKoDSxEnAYslidkYqsaEMnjVJwF8S9FElQWrsL6270vmvCfKoCOvRP+33Kp/0ziG8iT3PNjcIB85katA5GgY+Ct1KspwvKSiABouwrxkH55jWBM8uDGUHY99kV8TZrwUFoNCAWaLggHJgs2neI6oeMx0xtJMDEMBjl6sjHQrxZP94SKwFytX7s91Nk2SF1yaHrStV5c73JKLGxMMawV+D5fFhdlqZBSWIdK91t1NEmie9PGGj0ak3LK3XlZpjPSwKykGUF+IO0TzfhHKbK4kS+yNPzFyWKcjSc+b48OiiQ361CV5SpS3oLgv14obR2e9qlxl39eFTgqU+sUvMy1bT6qKgFdfiD0RCZz80qLZ1KsFhEuLJVqzDbNk51k7dZi8O8QZU2uEtPrsjSzSiT9V60hFIVzDUq6pDWkkmYFz31LPLqij/Bnkdlc+wfauM4oh6vzV6BZaU2ZLkSrzzcFkrN01hzBjXGcoNOT4urLOXGl9aXWbmubUPPkly6mqRrj5UvYy+uWcVaW6fmb8lMWZmvFE3HzXaKNQGkDejBSLvJEd5ELdP9FL9J8X9Nq1rERcJl2Q1oz/T6+PDl8dnF8evjo/cnb99cvDk8PX43OTw6zjERUscp/+IscEqFCM0o8b0zMlsvTcvlauPkS6Odi6JNU7qWxIzfk9PDV8fnwOzbs4u358dnv56dvK/x6qDUYIoNQ69xB7GFKueBTBknL1SRQ8z+AzQbWnxGMadBsTYN+h3KLAi4QblOgfeBlb88w8p0J5wuwafOybFwsY91bmeGfXHj+V0yPwnIqVzpRF1LOqKPEnuBpKCFX5dBCY+D45PpYgemJiHtc7HVMPQgaqvvpty72Va4PN832gln4JEZTvz4lHlAYzTslwaVjvLW8X/n/i9i4NMFT1QGcJp4c7L1RrDz/seocv9juNc/2N3/uBdIDWQeo6cy6G/a9TxDg6YjoEhFisVeccK8l7mi/KwU5ettGrfZ8EFI+e8w3Vz6mrxIpp3jvfVG7y7N9KtBp/3zKXZveRGkw/5He1C3nv89OJD53539f32oWrUSN07iBWx0P6rIwL78QeW9iiNfH+aM8DPmk20MfBvT5Ykv12ELAWuvOEsitShb5c0+FcAc8AXlsHJOUwTpdORfH6rVw5W0WvUU5U9JBCwT9ehCIJE+emDt6rEUlclyiHvZakZ9GLKoc5SbTfWEqk7I1fMmdG+hkHtb7ulXGs44FhDLuHECzTYa1G14KVArrz0whzjZjIHGWa1x1XaEV2cqwCHEQ15e2sFESXZXTbItWEtFW2PNNOtM5OvQDYUAryU5aNtp0AVQBRZkhSpHrDbOLZ2WhlobYH3C20y4VSU584moFkzBIMHQdHmBUanaktltpWHCVoaTWJj6DYLlUL98ZcWQx+BN7BTZkE4uiq5vOiEuA/9Aw+tFqMKkiiTSDm9JMCtXIZiu2/gYqsRMacjZHLWZjhdQIe2GkznMIr+ezyCRp2fhPD3R0LuvRDfa3H9tZVnNy0+FrzkQucKrDd3HrZbfn7UdfrVVGLpID2iyibiGQ8Cqxwcd/EAcLi9Sq6VeN363dmrePZ5Ntg0PHWP9maEz/k9PKG+zBei6/7c3qt//G/V38f99QOvFjtQQ734LX8tvlrxqa7p3xllgAZbvWTFTh+DCQU9++2RGnMXMZb7pmO+PJuZzU9aZzmYn5F9+f7IdB9j383N5UBtw6iJPhjwEUxHzLOW9reysoshaAGNU5rLXQv2bnJ/oVHvq1U8mRvlgZBM6COmp0SsrPK5lHjvzIdlkOgjmUpXomZ90UypSIQ9tZn9a2NT/Y70g32gZ6Dr/3RsMKv5/CIU7/38f0OX/s0DsQU9yIdxkKjO0ztR7dknyxNVDT+Q3Cp32v4zwbb8D7Iz/xtXvfw/2x7vz33uBSoJUSpuEMk/iNeV8pCHKlLEMSqr7UkCKKdRNmHeYohF+135DxyQNTGchUvn+0nqZDjbzS1aqkJazvXmVvqv15PsnRp6WpmF6oaWc23WjRLHKyX8TymHGzHaO7IKEDe0QFXkz85qBVJuVUu7y5mDA+OpGLOimN+Eibbme38pisvw6R9OVUlleu1balSMHBH0uUxaiLtFp8VIAKBkvI9sF3jeTj7tvaPH/Sz2jd/MBeJf/H433qt9/7vV3+/97AX13VDnL7EMtB80XLpe+HabGvaSx3mu2fBMoTX/uIBUsxEbtjunJ7A2LJ+BOpLEb5TS7g4ayoHR2Kl0REEldsvKu5n4/MI2yszPHo1NqGgYYu8RLF6v8HlCTz697b0UbSBvrjlSS7nQ4plzdgIHS1U6JVLl7CuShsPXKZ3HdqnR/NV+hqoSM+tVUB/32u2GsbXkdI790rPfGo9FeWqQ3wg4a9If7/ZxcduFP02q+u6nrHqOmm1PyA5rHKPu6xlHPxaUpDBEkUWXAg5LJWUnFFnEcCafXE+7iCvOPNP7JI0sbf0w4sV0WFOXFky0uSe9C/rOPlHjpIm/aT1mJOZnbKq0q29kk6Q/sVJ/TwxNJbp1Npclm3x7aP4KAM4V39El++k8RzN3isYMd7GAHO/j24f+8Oi9HAFAAAA==
+  rawChart: H4sIAAAAAAAAA+0ba2/bOLKf9St47i22XazkR2xn10CBTdNcN0DzQNLL4XA4BLREy9xIoo6knLqP++03JGVJ1iNyHk2uXc8HWxoOh0POg8OHfMw9EhFukw+SRIKyyMZu0H32kNAD2B2N9D9A+V8/93eG/cFoMB4rfH/Y7/efodGDStEAiZCYI/SMMyZvomsr/0bBr9e/MydBSP2IcXL/NpSCx8Nho/5B7SX9jwfD8TPUu3/T7fAn1/9zdIqlJDwSSDJkNI6u5yRC04QGHo18FGP3CvtEONZz9H5OBRJJHDMu4QGsJEB+wKYoxNKdA/XPiJMAS7ogUE/OC3gcecAgIj6Usgi9iDmZ0Q/EQ9cU6P7y0kEnUbBELNI1lUgoJhwFNCKO5bw5vzyXIBuw2GdhCAwu9s+RR7mwHJ/Krv414lvO9CPv6t8VYu531c/qVSyibs5oCv1LYjSjARHWT464juF3iq/gV4bw/F8gvcCcskSgwzcH0GDM2R/ElZZDPYK7hg5QlrMQLvNI13pqrW4ODf6/P8dcOkscBg/QRpv/D3q7Zf/v7Yy2/v8YgGN6QbjS+wQt+haO4+y103d6HcsjwuU0lhq1h36HeQG5yjrQjHEk5wS9TU0I7e2/Q5kZOVaEQzJB9QZmLVat9Bxo5htymO8MGvxfkjCGME7EQ2SCt8//xn0ICdv87xGgVf+XMMfDPCwcGd91LmiJ//3BoBT/B73hzs42/j8GfPpkIw8SMci6Oipgd5D95YvVELQVMYk8TWIVawZ4SgLhwOzhXJGl4aFfkinkcQTsyKGsq/iv8WhgscBBkgry6ROikRskXiaeg9KKNwhSrVsWUHGZoAaKtH3dUrUXNAKLiVyiqztnJCBYEOcYhLtRMhpCDm0EQ0gV0Bm6opF3KFBHSA4pMrR4oVqGVhQtyigb0CAuUVzmWJzqXBoYzfFgNJ6UODkS+3m1GNqSM9T5Qfz2gyhTchIzQSHRXt7EQrdcw3ByZ4YwYoXB+/Llqd3iTwOt8d9l0Yz6IY5trbcFrHsYtxnkb9ecSrLJGqEt/x+Oy/F/NNgdbuP/Y0AaidZ880Lr+GSlYuWZtm1bpaWCCl4TWEMr8zjCsRUSiT0s8QR82qT+9cG73o7SSiLGdZFVo024MHF6UhPdFfvPgAR7lmgI1F+slTy6SXG5brUT9FlxubHra/y+x/jU6v8eiQO2DGEM7rwd0OL/o8GwlP8P+v3R1v8fBcqODfmO6Gbe/SZT/sbufWtHRgBz6s9tvMAUkDSgcmmbaQfSB8ES7oJ7rgzVcQOWeF25jIE9UEnOgoDwTeKBJWLiqgY5WVDV3d+pUJnJOxpSOUE9XRIH1MXCSJ5GhhS5zxJgpGUX0CUVKIz0eo/z3WZxaWwYrPwrZVAYWwU4ipjU26RihdowTqMU3Dlxr0QSFqbv3MFrA/CaPl/onA791Xmfyum8Bg2eqg3dzkYZQeel7rTJR0GOXLZCumcQRTtQAIn2NeNgf35F58z2YEQQDgJ2TbzNanBQGg2JDUYuCAch8/otqvplJePKbBTAwDDo5XI/wEIcr+9wiaUAvdq/9nopsWqQumTPdZXpHN/sNVptYM8Ylgs8Gw+7zdkMaE2sU6ULjirZaRIEpwwserlm5aWyYjXM/YKCbGTbIf6gXNRNOIehsjlRL2oD/VWBY+6d+jklPl9GrihyV/zmBAdyrq329rwLldva8ajA04DYhepFrmnxfl4K5vAHoxHq/Nwp8zKnCTaLCde+audu2ySpqXKyqrGXVSjzhojpqUlZhRntst6rhmyqRLnGRe/T2uoc5lVXP4usuBRPsOdRVR0He8Y59qnHK6OXU9mpD9muoit2t4FT/TBWgkFFsMyh0w3jskiZ86XlRVFuqlvTMokWRSM3fvfuYO/NwdnlwbuD/feHJ8eXx3tHB+ene/sHGSVCer/gb5yFkwISoRklgXdGZuvYFK9i6SQL/E42ZTaNQ1vAX8l7eLT39uAChD05uzy5ODj7x9nh+4qsE5SaQ54Rd2tT5FsoKpupizQZUs+Lkv0TeNbU+Iwkp2Eeefu9FlUJAk6uojD4FsxrxRHWhnnK6QIihk8OhIsDbA4vZjgQdx7fBQuSkBypOC6qVtIytxbECxUHo/yqDgp0HNxanYdOYGgS0jwWt+qG6URlbtlUene11iuO952WeivwyAwngTxiHvAYDnqFTqW9fOr8+HuH1vVfzCCgC57oE8Bp4vnk1gvB1vsfw9L9j8FOb3d7/+NRII0fvkQvVMZft+R5ifp1W0CxThPzteIp895khvJaG8rXWzTeZrUH+eTfo3RxGRj2Ipm29vfeq7xvIoq1+j+fYveeF0Fa/H+4Myrf/9jd7W/P/x4Fyl6t1Y0TOYdV7kedODlXv+hzr3zLN4AxI/yMBeQ2Dn4b1+VJoNIUG4FobzlLYp2z2MWVPhUgHMgFeEgspimBCjrqP4Bi/XCtvFY/xdlTEoPIRD+6kGeljx54u34sJK0KD8sCtpzRALosqhJlblPeoaoycs24CdNaJNTClnvmlUYzjgWkeq5MoNpGnbqPLDlp6bUL7iCTzQSoHdWKVE1beFWhQhxBuuhl2BYhCrq7rtNtLlqq2oponU5ViGweuqMS4LWgB+M7NbYApsDCFVKfEetVc0Ojha5WOlgd8CYXbjRJzgIiyogpOCQ4msHnFKWiWwp7W210YKXHiRQd8wZrici8fGXDUNvgdeLkpyGtUuRN33VAXAbxgUY3q1CnSSVNpA3ek+EKr1MwU7bxHlRBmEKXV2PU5DpeSIXyG058GEV+s5xhorbOIv+aTOeMXZnFaWIqbR6/7qqb+pmoJKIP/K7xcsNIcq+Z+LVxya82IUMT6VbWaiBukBCoqqlCizyQkqs71XrWN5XP13bP2/uzyQriqdOt/ztozf/TMwxstHCnlUDb+n+n3y+t/weA3Ob/jwGNFztK3vekK3mIMUxvnK4L9Z5dkWxf96kH8huFVv9fxPi+34G03f/dGZe//9odjXe3/v8YUDo/UNomkdon8+r2/JQjqhMVlfaUkxEgkhTKTpm3l5IR/tBxw+zp1Qi9yryKh9frOLOLl52wayQtHoZkReag/seffrSyUxsapaeZxaMPN060qJz8J6EcRqzTLJGTs3CgHqIiq9a5oSPlaoUTKXVtJGR8eScRTNW7SJHWXN/fRAicCPLa7LSz7kqRwleuFbUdIQGBycuLSjQYc2pUOO9VgheJnZzum9mPfWxoiP8LM6IP8wFga/wfVr7/2+n1t/H/McBcHNLBcnVRf4L8uctVbIehca+oNHepGr4JUa7vT5BOFqRVuWB0ODtm8hTCiXJ2q3jMMkEDhSgsmFUoAiZpSNbRtTPqhR2rGOw64+ER7VgWOLuiSyer7Ji8LuZXo7fmDayt9UCqWLcGnI6a3UCAwr0eRVS6eATsAdl43ye/jVC4vJTNUGVGVvVe0gT969+WVX/ZxpQ9R3WXAdSl5+dodSN6op/zewAYsj6icQiZcTwrmMVcylhMul3hzq8x/0jlbx5ZOPhjwonjsjDH50+OuCLdS/WBdsq8cPMqbadoeJz4jt4KV/UckvT6TmqD6YU+xW5dTG19nZ4zcH4FpayMdGK2XNIPWTvbgL+FLWxhC1vYwha2sIUtbGEL/wPUroXXAFAAAA==
   values:
     image:
       tag: latest